A recent survey shows that business folks are doing an end run around corporate IT by adopting cloud services

InfoWorld|Apr 23, 2010

A Ponemon Institute survey recently piqued my interest. In the 2010 Access Governance Trends Survey, 87 percent of respondents said too many employees were able to access information that should have been out of reach. And guess what? Cloud computing was a factor -- 73 percent of respondents said that cloud-based applications were enabling business users to skirt organizational controls.

The core issue is IT's loss of control over its assets, including data. Let's face it -- departments are sick of waiting for development and deployment of core business applications or infrastructure services, and they're going directly to a cloud computing provider to get what they need. Think of it as a kind of technological infidelity.

Going around IT and straight to the cloud has become common practice in the last few years. Salesforce.com built its business selling directly to the sales staff rather than to IT; eventually, IT was forced to accept SaaS (software as a service) after the fact. I've watched those battles firsthand.

Today, things are even worse. Now you can get storage as a service, database as a service, and even complete application servers and app dev platforms that are delivered on-demand. With such endless resources available, corporate fiefdoms are creating so-called rogue clouds -- their own array of cloud computing services, including data repositories, that they alone control. IT may not have a clue about what's going on.

The trouble with the rogue approach is that there's no way to ensure that data is handled in accordance with corporate policies. Worse, that data may come with compliance issues, including personal medical or financial information where the law dictates how the data is handled and where it can reside.

IT can implement a few measures to correct this. First, if IT meets the business requirements of its internal clients, then those clients have no reason to look for other options. Second, IT needs to publish and promote data governance policies within the company. Violations most often occur due to a lack of understanding, rather than deliberate subversion.

IT may never have the bandwidth to prevent business folks from looking outside the firewall for the services they need -- after all, that's a big reason why cloud computing exists. Users are going to take matters into their own hands when they need to, not for malicious reaons, but to get things done. If the rules for handling data are crystal clear from the start, then "going rogue" to the cloud has far less potential to damage the business.